July 24, 2023

In science and public policy, a principal goal is to develop an elegant solution. Elegance is generally defined as the simplest statement that most completely solves the problem. The quintessential example of scientific elegance is Einstein’s explanation of the theory of relativity, E=mc². Beautiful.

The Biden Administration has just released its proposal to address the persistent problem of duplicative and at times contradictory cybersecurity regulation. It is a Request for Information (RFI) asking companies, trade associations, academics – pretty much anyone – to describe the various contradictions, inconsistencies and overlap in cyber regulations at the federal, state, local and international levels in as much detail as possible, to assess the costs, to describe the methodologies by which they came to these conclusions, and more.

It is almost inconceivable what a convoluted mishmash of variously organized and documented reports, papers, letters, and studies this will generate. It’s not so much the size: ONCD will have to translate, synthesize and validate pretty complicated and technical material before analyzing it, and that analysis can’t really be automated. That’s a lot of work, and it’s not like ONCD doesn’t already have a pretty full plate. All to discover that there are a wide variety of conflicts and inconsistencies in federal, state, local and international cybersecurity regulation.

Then what? Apparently, the outcome of all this work is the creation of a reciprocity framework that will allow “the recognition or acceptance by one regulatory agency of another agency’s assessment, determination, finding, or conclusion with respect to the extent of a regulated entity’s compliance with certain cybersecurity requirements.”

This sounds like the “solution” is to anticipate that regulators in one sector or agency will voluntarily cede authority over cyber regulation to a different regulatory agency. Count me as skeptical that this will ever happen. Regulators are generally not in the habit of voluntarily giving up jurisdictional authority – and budget – to another agency.

This is not an elegant solution. It’s not actually a solution at all. It’s really an exercise – a long, convoluted exercise in admiring the problem with no clear resolution on the other end.

In fact, it’s puzzling why ONCD is proposing we go through this exercise at all. I thought we all already agreed there was massive duplication/conflict in cybersecurity regulation that is wasting, depending on the sector, 40-70% of scarce cybersecurity resources. I know ISA, and many industry colleagues, have been making this case for 15 years. There have been Congressional hearings and GAO studies on this for years.

Indeed, the Biden Administration’s own National Cybersecurity Strategy, released just over 3 months ago, stated, “Where federal regulations are in conflict, duplicative, or overly burdensome, regulators must work together to minimize these harms.” At the launch event for the National Strategy, Anne Neuberger said, “organizations need to only be regulated once and we need to work to make that the case. This is a responsibility of government. We owe this to the private sector; this one is on us.”

So why are we going backward, asking the private sector to document this issue yet again, when what we actually need, in the national interest, is to solve it and move on?

It’s worth noting that, unlike most cybersecurity problems, which are the result of sophisticated attacks by criminals and nation states, this particular problem is caused 100% by government. Government can and ought to solve it, not study it. As Ms. Neuberger put it so well, “This is a responsibility of government. We owe this to the private sector; this one is on us.” I would only add – and right away.

Fortunately, there is a faster, simpler, and more effective solution.  The Office of Management and Budget (OMB) can simply issue a requirement stating that any new cybersecurity regulation needs to be accompanied by a finding from the agency proposing the regulation that it is not duplicative or contradictory with an existing cybersecurity regulation.

This simple step would do two things. First, it stops the continuing process of issuing redundant and contradictory regulations. The Biden Administration has made it quite clear that it intends to use existing authority to issue a variety of new cyber regulations. Assuming we are concerned about regulatory overlap – and why else would they be issuing the RFI – it makes no sense to be promulgating new regs unless we know we are not making the regulatory overlap problem worse. The OMB requirement is a simple step that stops the bleeding – essentially it puts a tourniquet on the problem. This is good, but wait, there’s more.

Second, this simple requirement would also have the effect of forcing the regulating agencies to review all their cyber regs for duplication of, or conflict with, their existing regulations before they offer new ones. It is the regulatory agencies themselves that are in the best position to analyze their own regulations, rather than an almost infinite number of organizations with varying jurisdictions, business plans and available staff. In fact, the agencies could probably make enormous headway in defining the problem just with a well-crafted inquiry to Prof. ChatGPT.

In the long run, streamlining the regulations will probably save the agencies themselves time and money, allowing them to be more effective on their core mission – waste doesn’t make anyone better.

So this simple OMB mandate can immediately stop the growth of wasteful and inconsistent cyber regulation while simultaneously launching the fastest, most efficient and cost-effective way to define and solve the regulatory morass problem.
